WAIT! STOP!

Getting a headache? No wonder. A medical practice shouldn’t have to double as an IT support company.

There’s an easier way. It’s called a patient portal, and it lets your practice keep physician-patient communications secure without being too complex or asking patients to download a single thing.

A patient portal is nothing more than a protected Web site that resides on your network server. To access the site, patients have to enter a username and password. Only then can they communicate with the practice or read messages from their physicians. By keeping the Web site on your server, you can make sure your communications remain private.

Family Practice Associates of Lexington uses a portal to communicate with their patients. “We accept requests for appointments, prescription refills, and some basic questions via the Web site in a secure environment,” says Miller.

Luckily, setting up a patient portal isn’t very difficult. In fact, says Dunn, many practice management programs already have some sort of portal component. She recommends using a patient portal over e-mail encryption. Talk to your practice management software vendor to evaluate what option is best for your needs.

3. Grill your vendors
In fact, you should talk to all of your software vendors about their security measures. Most people assume their EMR vendor has adequate security, but that may not be true.

“Don’t be satisfied with hearing, ‘Yes, we adhere to all HIPAA security rules and regulations,’” says Dunn. “Tell me what you mean by that. What ones are you referring to? And how do you adhere to them? Some people don’t even ask, so they don’t really know.”

Also, don’t be surprised if you get an answer you weren’t expecting. Security isn’t the highest priority for many EMR vendors, says Chang. Consequently, only the newest EMR vendors are very tight with security and encrypting user-to-network connections. In fact, Chang estimates that only one or two out of the approximately 300 EMR products on the market today incorporate the very highest level of encryption services.

For many practices, the best solution is to outsource security to people who understand networks and computers better than they do. That’s what Family Practice Associates of Lexington does. With 10 family physicians, two midlevel providers, and a family therapist on staff, the practice can’t afford to hire a full-time IT department for their needs — even if they do have more than 100 workstations!

“There are some of the larger practices with multiple locations that have in-house IT staff, but most of us in the small- to medium-sized group setting . . . tend to contract out the more demanding parts,” says Miller.

If you decide to use an outside company for your networking and security needs, Miller recommends locating a vendor specifically experienced with medical practices. “Not only from the standpoint of the extra security measures that need to go along with patient confidentiality, but also so that they understand the medical environment,” Miller says. “The bottom line is that I can’t be down in the middle of the day for three hours while we’re trying to see patients. It’s just absolutely impossible.”

4. Have a backup plan
Most people don’t think about backing up their data as a security measure, but an important part of HIPAA’s security requirements is data protection and recovery. HIPAA regulations require that your practice have a plan for backing up patient information, storing backups, and retrieving data in the case of an emergency. It’s also a good idea for your practice to have such a plan in place so it can continue operating if something happens to the network.

Family Practice Associates of Lexington has multiple redundancy measures in place when it comes to data protection. “We do have tape backups here on site. We back up on a nightly basis. We keep the tapes here in a fireproof safe, plus we take a copy off-site on a daily basis so that we don’t ever have all of our data in one place,” explains Miller. “More important, our practice management and our EMR are backed up remotely to our software vendor. Our network is backed up to our networking vendor. So we are backed up three or four different ways.”

And make sure that any data that leaves your practice is also protected. “One of the mistakes practices make is they make a backup tape, and they leave it off-site,” says Chang. “What if the tape was lost or stolen? I can grab that tape and stick it in any tape drive and be able to read your information.” Be sure to encrypt or password protect any of your backup tapes or network drives to avoid this scenario.